eDiscovery Daily Blog

• July 16, 2019

Now, we’re talking some serious money!  In January, we covered the first big fine for failing to comply with Europe’s General Data Protection Regulation (GDPR) when France’s data protection regulator, the Commission nationale de l’informatique et des libertés (CNIL), issued a €50 million fine (about $56.8 million) fine to Google for failing to comply with GDPR.  Now, we have a new fine being proposed which is more than four times that amount.

As discussed by Sharon Nelson in her excellent Ride the Lightning blog (British Airways Faces Record Fine After Data Breach), the New York Times (subscription required) reported on July 8th that British authorities have said that they intend to order British Airways to pay a fine of nearly $230 million for a data breach last year, the largest penalty against a company for privacy lapses under GDPR.

Poor security at the airline allowed hackers to divert about 500,000 customers visiting the British Airways website last summer to a fraudulent site, where names, addresses, login information, payment card details, travel bookings and other data were taken, according to the Information Commissioner’s Office, the British agency in charge of reviewing data breaches.

In a statement British Airways said it was “surprised and disappointed” by the agency’s finding and would dispute the judgment, which isn’t final regarding the amount.

As we’ve noted many times on this blog, GDPR allows regulators in each European Union country to issue fines of up to 4 percent of a company’s global revenue for a breach. And by acting against an iconic British brand, officials showed that enforcement would not be limited to American-based tech companies, which have been seen as a primary target.

Before GDPR, fines by the Information Commissioner’s Office were capped at 500,000 pounds, or about $625,000. That was the fine it imposed on Facebook last year for allowing Cambridge Analytica to harvest information on millions of users without their consent. However, Facebook and Google are among other companies currently under investigation by the European authorities over breaches of the GDPR (despite previous fines before and after GDPR went into effect, respectively).

The large proposed fine against British Airways is thought to be based on the fact that this was an avoidable breach caused by alleged sloppy security and organizational practices.

As noted above, the British decision to fine British Airways £183.5 million, worth about 1.5 percent of the airline’s annual revenue, is not final. The agency said it would “carefully consider” responses from the airline and others to its penalty before issuing a final decision.  Even if it’s reduced, it seems inevitable to be a new record for GDPR fines (at least for now).

So, what do you think?  Do fines like this cause your organization to re-evaluate your own security policies?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.